Traditionally, there is a disconnect between the teams responsible for delivering systems and those focused on security and governance. This does not mean that the delivery side considers security or governance objectives insignificant. Rather, the contrast shows in how each team executes its activities and what it deems a successful outcome. One group strives to build and release software quickly to meet expectations, emphasising the end-user value proposition; the other mandates controls that assure system integrity, risk management, and alignment with the prevailing Enterprise Governance of Information Technology (EGIT) system.

Requirements centring on EGIT are often unfairly perceived as impediments to delivery cadence because of the actions and evidence collection needed to assure that software products, runtime environments, and operational practices align with stakeholder concerns. This raises the question: how is the industry evolving to remove the friction that still exists between these domains? Well, thankfully, a lot.

The move to public cloud providers such as the market-leading AWS has enabled organisations to realise benefits such as cost optimisation, operational resilience, and increased business agility. For instance, a 2020 AWS APJ Benchmarking Survey found a 37.6% average increase in deployment frequency. Deployment frequency is one of the four key metrics that differentiate low, medium, and high performing software delivery organisations. There is also an emphasis on improving security posture; security is one of the five pillars of the AWS Well-Architected Framework. These advances have a runtime focus or broadly support an effective software delivery process.

In comparison, the steps required to advance EGIT remain less clear. Yet the patterns and techniques that cloud adoption has promoted do show improvements, based on what we witness in the industry.

Establish a solid foundation for governance

Trends suggest that businesses are now reassessing their cloud adoption initiatives. This change in focus follows the initial surge of cloud migration, which frequently involved infrastructure "lift-and-shifts" with minimal architectural refinement while adhering to pre-existing operating models. As a result, operating models are evolving to accommodate the nuances of the cloud ecosystem, and application architectures are being refactored to take on cloud-native characteristics.

A notable focal area has been the reorganisation of cloud landscapes, often referred to as landing zones. A well-defined landing zone expresses a standardised multi-account environment built on secured cloud infrastructure and best-practice guidelines, and is arguably easier to govern. Initially, organisations were left to work out independently what constituted a well-architected landing zone. Since then, patterns and anti-patterns have emerged, making the process easier, quicker, and more economical to implement without reinventing the wheel. This evolution is evident in the large-scale adoption of services such as AWS Control Tower, which offers a predictable and low-risk method for defining a landing zone that supports the controls and systems required for good governance.

Reposition governance as a shared responsibility

AWS's shared responsibility model for security is well known, as is the drive to "shift left on security" by incorporating security practices directly into the software development lifecycle. It seems natural that governance would benefit from a similar shift in perception and approach.

Three forms of control typically support EGIT at the implementation and runtime level: detective controls, preventive controls, and the configuration attributes of the software or resources themselves. Governance and DevOps teams should collaborate more closely and continually define, design, implement, and observe policies and controls. The controls and related processes should promote conformance without becoming obstacles to delivery velocity or adding undue effort. For instance, build mechanisms that detect, prevent, or automatically remediate data stores that are not encrypted at rest. If these measures are elegant and practical, software development staff will know what is expected and are unlikely to deliver an unencrypted database by mistake. Other examples involve finding ways to encourage innovation, experimentation, and creativity in software development while maintaining integrity, and providing a means to bypass controls when required and authorised.
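The encrypted-at-rest control in the paragraph above, worked through as an added example (not code from the original article): a detective check over a resource inventory, a preventive service control policy (SCP) with a small evaluator for its Deny conditions, and a count of findings of the kind that later serves as evidence of control effectiveness. The inventory records are constructed and mirror the shape of boto3's `rds.describe_db_instances()` and `ec2.describe_volumes()` responses, so real pages can be passed in unchanged, but nothing here calls AWS. The account number, resource names and the IAM condition keys `rds:StorageEncrypted` and `ec2:Encrypted` are assumptions about the deployment. The evaluator deliberately follows IAM's rule that a `Bool` condition on a key absent from the request context does not match, which is the caveat to test before relying on a Deny alone: pair the preventive policy with the detective check.

```python
"""Detective + preventive checks for the 'encrypted at rest' control.

Added example, not code from the original article. Sample data below is
constructed; dict shapes follow the boto3 describe_* responses (assumption).
"""
from collections import Counter
from typing import Dict, List

# Constructed sample inventory (same keys as the boto3 responses).
SAMPLE_RDS = {
    "DBInstances": [
        {"DBInstanceIdentifier": "orders-prod",
         "DBInstanceArn": "arn:aws:rds:eu-west-1:111122223333:db:orders-prod",
         "StorageEncrypted": True},
        {"DBInstanceIdentifier": "reports-dev",
         "DBInstanceArn": "arn:aws:rds:eu-west-1:111122223333:db:reports-dev",
         "StorageEncrypted": False},
    ]
}
SAMPLE_EBS = {
    "Volumes": [
        {"VolumeId": "vol-0a1b2c3d4e5f60001", "Encrypted": True},
        {"VolumeId": "vol-0a1b2c3d4e5f60002", "Encrypted": False},
    ]
}


def find_unencrypted_data_stores(rds_page: dict, ebs_page: dict) -> List[Dict[str, str]]:
    """Detective control: every data store whose at-rest encryption flag is off.

    A missing flag is treated as non-compliant (fail closed), so an unexpected
    response shape produces a finding rather than silence.
    """
    findings: List[Dict[str, str]] = []
    for db in rds_page.get("DBInstances", []):
        if not db.get("StorageEncrypted", False):
            findings.append({"type": "rds", "id": db["DBInstanceIdentifier"]})
    for vol in ebs_page.get("Volumes", []):
        if not vol.get("Encrypted", False):
            findings.append({"type": "ebs", "id": vol["VolumeId"]})
    return findings


# Preventive control: an SCP that denies creating unencrypted stores.
# Condition keys are an assumption about the services in use.
DENY_UNENCRYPTED_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyUnencryptedRds", "Effect": "Deny",
         "Action": ["rds:CreateDBInstance"], "Resource": "*",
         "Condition": {"Bool": {"rds:StorageEncrypted": "false"}}},
        {"Sid": "DenyUnencryptedEbs", "Effect": "Deny",
         "Action": ["ec2:CreateVolume"], "Resource": "*",
         "Condition": {"Bool": {"ec2:Encrypted": "false"}}},
    ],
}


def _bool_condition_matches(bools: Dict[str, str], context: Dict[str, bool]) -> bool:
    """IAM 'Bool' semantics: a key absent from the request context never matches
    (only BoolIfExists or a Null check would). Every listed key must match."""
    for key, want in bools.items():
        if key not in context:
            return False
        if str(context[key]).lower() != want.lower():
            return False
    return True


def scp_denies(policy: dict, action: str, context: Dict[str, bool]) -> bool:
    """Minimal evaluator: does any Deny statement in the SCP block this request?
    Handles exact action names and the Bool operator only (enough for this policy)."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] != "Deny" or action not in actions:
            continue
        bools = stmt.get("Condition", {}).get("Bool", {})
        if _bool_condition_matches(bools, context):
            return True
    return False


def summarise_findings(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count of violations per resource type: the metric a governance team reports."""
    return dict(Counter(f["type"] for f in findings))


if __name__ == "__main__":
    found = find_unencrypted_data_stores(SAMPLE_RDS, SAMPLE_EBS)
    print("non-compliant:", found, summarise_findings(found))
    # The Deny fires only when the key is present and false; absent key -> allowed.
    print(scp_denies(DENY_UNENCRYPTED_SCP, "rds:CreateDBInstance", {"rds:StorageEncrypted": False}))
    print(scp_denies(DENY_UNENCRYPTED_SCP, "rds:CreateDBInstance", {}))
```

The third print is the point to check in your own account: if a request can reach the API without the condition key in its context, the Deny does not apply and only the detective check catches the resource.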

Centralised control, monitoring and reporting

Uniform and consistent oversight of environments is a necessity, even as they grow in scale or become markedly more distributed in their composition. Likewise, designing observable solutions is no longer optional: collecting, analysing, and reacting to telemetry is essentially mandatory. Many businesses have evolved service or operational models that rely on these properties, and as a result the definition and assessment of service-level agreements (SLAs) are now more precise.

Security-related spending should be easy to defend, but it regularly is not, given the very nature of the problem it seeks to mitigate. Development and operational expenses produce tangible outcomes such as new features or predictable releases. Security, by contrast, aims to prevent undesirable events and their consequences, so an absence of incidents may represent success, or it may simply mean that nothing was detected. The same trait applies to the resources allocated to governance.

These conditions justify centralising the services for security, architectural assessment, control definition and application, monitoring, and reporting. Consolidation and automation allow consistent practices regardless of scale. Specific metrics should also be defined and measured to provide evidence of the effectiveness of security and governance controls, such as the number of intrusion attempts and control violations detected or prevented, thereby sustaining budget allocation and spend. A well-designed landing zone and managed service environment with accurately configured services meet these requirements. However, this is an area where patterns are not yet as established or as well understood in the industry.

Good looks good for all

There is a misconception that governance belongs only within large enterprises, whether because of its perceived cost or because of the regulated sectors in which those organisations operate. This view could not be further from the truth. Governance is the system that defines how an organisation is controlled, managed, and held to account. It covers addressing shareholder concerns, risk management, security, and the effectiveness of administration. The security, data protection, and risk management aspects alone make governance a universal matter.

The public cloud has lowered the cost and complexity of operating an EGIT system. There is no longer a justifiable reason for smaller organisations not to implement fundamentals such as segregating production and non-production workload environments, applying detective and preventive controls, or adopting a first-class security posture. It is almost negligent not to do so.

Ultimately, good really does look similar for everyone.